Page 1: ECSAv4 Module 02 Advanced Googling_NoRestriction

Advanced Penetration Testing and Security Analysis

Module 2: Advanced Googling

Copyright © 2004 EC-Council. All rights reserved worldwide.
EC-Council. Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.


Module Objective

This module will familiarize you with:

• Site Operator
• intitle:index.of
• error | warning
• login | logon
• admin | administrator
• Google Advanced Search Form
• Categorization of the Operators
• Viewing Live Web Cams
• Locating Source Code with Common Strings
• Locating Vulnerable Targets
• Locating Targets Via Demonstration Pages
• Locating Targets Via Source Code
• Vulnerable Web Application Examples
• Locating Targets Via CGI Scanning
• A Single CGI Scan-Style Query
• Directory Listings
• Web Server Software Error Messages
• The Goolag Scanner


Site Operator

The site operator is absolutely invaluable during the information-gathering phase of an assessment.

A site search can be used to gather information about the servers and hosts that a target hosts.

Using simple reduction techniques, we can quickly get an idea about a target’s online presence.

Consider the following simple example: site:washingtonpost.com -site:www.washingtonpost.com

This query effectively locates pages on the washingtonpost.com domain other than www.washingtonpost.com.

Site Operator (cont’d)

intitle:index.of

intitle:index.of is the universal search for directory listings.

In most cases, this search applies only to Apache-based servers, but due to the overwhelming number of Apache-derived web servers on the Internet, there’s a good chance that the server you’re profiling will be Apache-based.


error | warning

Error messages can reveal a great deal of information about a target.

Often overlooked, error messages can provide insight into the application or operating system software a target is running, the architecture of the network the target is on, information about users on the system, and much more.

Not only are error messages informative, they are prolific.

A query of intitle:error results in over 55 million results.

error | warning (cont’d)

login | logon

Login portals can reveal the software and operating system of a target, and in many cases “self-help” documentation is linked from the main page of a login portal.

These documents are designed to assist users who run into problems during the login process.

Whether the user has forgotten his or her password or even username, these documents can provide clues that might help an attacker.

Documentation linked from login portals lists email addresses, phone numbers, or URLs of human assistants who can help a troubled user regain lost access.

These assistants, or help desk operators, are perfect targets for a social engineering attack.

login | logon (cont’d)

username | userid | employee.ID | “your username is”

There are many different ways to obtain a username from a target system.

Even though a username is the less important half of most authentication mechanisms, it should at least be marginally protected from outsiders.


password | passcode | “your password is”

The word “password” is so common on the Internet, there are over 73 million results for this one-word query.

During an assessment, it’s very likely that results for this query combined with a site operator will include pages that provide help to users who have forgotten their passwords.

In some cases, this query will locate pages that provide policy information about the creation of a password.

This type of information can be used in an intelligent-guessing, or even a brute-force, campaign against a password field.

password | passcode | “your password is” (cont’d)

admin | administrator

The word “administrator” is often used to describe the person in control of a network or system.

The word administrator can also be used to locate administrative login pages, or login portals.

The phrase “Contact your system administrator” is a fairly common phrase on the web, as are several basic derivations.

A query such as “please contact your * administrator” will return results that reference local, company, site, department, server, system, network, database, email, and even tennis administrators.

If a web user is told to contact an administrator, the odds are that there’s data of at least moderate importance to a security tester.

admin | administrator (cont’d)


admin login

admin login reveals administrative login pages.


-ext:html -ext:htm -ext:shtml -ext:asp -ext:php

The -ext:html -ext:htm -ext:shtml -ext:asp -ext:php query uses ext, a synonym for the filetype operator, and is a negative query.

It returns no results when used alone and should be combined with a site operator to work properly.

The idea behind this query is to exclude some of the most common Internet file types in an attempt to find files that might be more interesting.

-ext:html -ext:htm -ext:shtml -ext:asp -ext:php (cont’d)

inurl:temp | inurl:tmp | inurl:backup | inurl:bak

The inurl:temp | inurl:tmp | inurl:backup | inurl:bak query, combined with the site operator, searches for temporary or backup files or directories on a server.

Although there are many possible naming conventions for temporary or backup files, this search focuses on the most common terms.

Since this search uses the inurl operator, it will also locate files that contain these terms as file extensions, such as index.html.bak.
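The site-operator “reduction” example, the negative -ext: query, and the inurl:temp | inurl:tmp | inurl:backup | inurl:bak query above all narrow a result set by properties of the URL alone. The following Python script is an added example, not part of the EC-Council slides: it models those three operators (site:, ext:/filetype: and inurl:, each optionally negated, with | for OR) and runs them over a constructed list of URLs for a made-up example.com domain, so you can see exactly which results each clause keeps or drops. The function names, the simplified matching rules (site: means host or subdomain, inurl: is a plain substring test, ext: checks the last path segment) and the sample URLs are all assumptions of this example; Google’s real matching is word-based and differs in detail.

```python
from urllib.parse import urlsplit

# Constructed sample "search results" for a made-up domain; none of these hosts are real targets.
SAMPLE_URLS = [
    "http://www.example.com/index.html",
    "http://www.example.com/about.htm",
    "http://mail.example.com/login.php",
    "http://intranet.example.com/reports/q1.pdf",
    "http://dev.example.com/backup/index.html.bak",
    "http://dev.example.com/tmp/notes.txt",
    "http://files.example.com/docs/handbook.doc",
    "http://www.example.org/example.com.html",  # looks similar but is a different domain
]

SUPPORTED = {"site", "inurl", "ext"}


def _tokens(query):
    """Turn a query into (negated, operator, value) tuples; a bare '|' becomes an OR marker (None)."""
    out = []
    for raw in query.split():
        if raw == "|":
            out.append(None)
            continue
        negated = raw.startswith("-")
        body = raw[1:] if negated else raw
        op, sep, value = body.partition(":")
        if op == "filetype":          # ext: is a synonym for filetype: (as the slide says)
            op = "ext"
        if not sep or op not in SUPPORTED:
            raise ValueError(f"unsupported token {raw!r}; this model only knows {sorted(SUPPORTED)}")
        out.append((negated, op, value.lower()))
    return out


def _groups(tokens):
    """Adjacent tokens joined by '|' form one OR-group; every other token is its own group (AND)."""
    groups, join_next = [], False
    for tok in tokens:
        if tok is None:
            join_next = True
            continue
        if join_next and groups:
            groups[-1].append(tok)
        else:
            groups.append([tok])
        join_next = False
    return groups


def _match(url, op, value):
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if op == "site":                  # the host itself or any subdomain of it
        return host == value or host.endswith("." + value)
    if op == "inurl":                 # simplified: substring anywhere in the URL
        return value in url.lower()
    if op == "ext":                   # last path segment ends with .value
        return parts.path.rsplit("/", 1)[-1].lower().endswith("." + value)
    raise ValueError(op)


def _group_ok(url, group):
    hit = any(_match(url, op, value) for _, op, value in group)
    return not hit if group[0][0] else hit   # a negated group must NOT match


def filter_urls(query, urls=SAMPLE_URLS):
    """Return the URLs that satisfy every AND-group of the query."""
    groups = _groups(_tokens(query))
    return [u for u in urls if all(_group_ok(u, g) for g in groups)]


def distinct_hosts(urls):
    """The 'reduction' step: collapse a result list to the set of hosts it exposes."""
    return sorted({urlsplit(u).hostname for u in urls})


if __name__ == "__main__":
    q = "site:example.com -site:www.example.com"
    print(q, "->", distinct_hosts(filter_urls(q)))
    print(filter_urls("site:example.com -ext:html -ext:htm -ext:shtml -ext:asp -ext:php"))
    print(filter_urls("site:example.com inurl:temp | inurl:tmp | inurl:backup | inurl:bak"))
```

Run against a URL list exported from your own site (a sitemap or crawler output) instead of SAMPLE_URLS, the same filters give a quick self-inventory of which hosts, non-HTML files and backup-named paths are reachable before a search engine indexes them; the model deliberately rejects operators it does not implement rather than guessing at them.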


Google Advanced Search Form

Google’s advanced search form is easy to use and provides more options for the search.

It allows a user to select or prohibit pages with more accuracy.

It focuses on options, which results in a more targeted and accurate search.

One can categorize the search by giving all words, an exact phrase, or at least one word.

By following the procedure below, it is simple to perform an advanced search:

• Go to Google’s standard search text box.
• Click on “Advanced search” at the right side of the search box.

Google Advanced Search Form: Screenshot

Categorization of the Operators

Search Service | Search Operators
Web Search     | allinanchor:, allintext:, allintitle:, allinurl:, cache:, define:, filetype:, id:, inanchor:, info:, intext:, intitle:, inurl:, phonebook:, related:, rphonebook:, site:, stocks:
Image Search   | allintitle:, allinurl:, filetype:, inurl:, intitle:, site:
Groups         | allintext:, allintitle:, author:, group:, insubject:, intext:, intitle:
Directory      | allintext:, allintitle:, allinurl:, ext:, filetype:, intext:, intitle:, inurl:
News           | allintext:, allintitle:, allinurl:, intext:, intitle:, inurl:, location:, source:
Froogle        | allintext:, allintitle:, store:

allinanchor:

• The query with allinanchor restricts the results to pages containing all the query terms in their inbound links.
• Avoid the use of any other search operators while using allinanchor.
• Example: "allinanchor: longest river"
• It will return results that contain ‘longest’ and ‘river’ in the anchor text of the links to the pages.

Screenshot - allinanchor:


allintext:

• The query with allintext restricts the results to pages containing all query terms in the text only (it does not check the URL or title).
• Example: "allintext: best travel"
• It will return results that contain ‘best’ and ‘travel’ in the text of the page.

Screenshot - allintext:


allintitle:

• The query with allintitle restricts results to pages containing all query terms specified in the title.
• Avoid the use of any other search operators while using allintitle.
• Example: "allintitle: vulnerability attacks"
• It will return results which contain ‘vulnerability’ and ‘attacks’ in the title.
• In image search, allintitle returns images that contain the terms specified.

Screenshot - allintitle:


author:

• The query with author includes newsgroup articles by the author specified in the query.
• The author name can be a full name, a partial name, or an email ID.
• Example: "Hacking author: Linda Lee"
• It will return the articles that contain the word ‘Hacking’ written by ‘Linda Lee’.

Screenshot - author:


cache:

• The query cache:url displays Google’s cached version of a web page.
• Do not put a space between cache: and the URL.
• Example: "cache:www.eccouncil.org"
• It shows the cached version of “eccouncil”.

Screenshot - cache:


define:

• The query with define shows definitions from pages on the web for the term specified.
• It is useful for finding definitions of words, phrases, and acronyms.
• Example: "define: hacking"
• It shows the definitions for the term ‘hacking’.

Screenshot - define:


filetype:

• The query with filetype:suffix shows result pages whose names end in suffix.
• Example: "web attacks filetype:pdf"
• It returns Adobe Acrobat PDF files that match the terms ‘web’ and ‘attacks’.

Screenshot - filetype:


group:

• The query with group restricts results to newsgroup articles from certain groups or subareas.
• Example: "sleep group:misc.kids"
• It returns articles in the subarea ‘misc.kids’ that contain the word “sleep”.

Screenshot - group:


inanchor:

• Searches the text representation of a link (its anchor text).
• The query with inanchor restricts results to pages whose inbound links contain the query terms specified.
• Example: "restaurants inanchor: menu"
• It returns pages whose inbound links have anchor text containing the word “menu” and whose content contains the word “restaurants”.

Screenshot - inanchor:


insubject:

• The query with insubject restricts Google Groups articles to those containing the query terms specified in the subject.
• Example: "insubject:"Security issue""
• It returns Google Groups articles that contain the phrase “Security issue” in the subject.
• It is equivalent to intitle:

Screenshot - insubject:


intext:

• The query with intext:term restricts results to documents containing the term in the text.
• There must be no space between intext: and the following word.
• Example: "intext:poem"

Screenshot - intext:


link:

• The query with link:URL shows pages that point to that URL.
• Example: "link:www.googleguide.com"

Screenshot - link:


location:

• The query with location will show articles from Google News, and only from the location specified.
• Example: "Hackers location: China"
• It shows articles that match the term “Hackers” from sites in China.

Screenshot - location:


Viewing Live Web Cams

You can find live security cameras, traffic monitoring cameras, and many more using simple Google search operators like inurl, intitle, and intext.

These cameras generally use known protocols, which makes it easy for anyone to access them.

Following are a few Google search links to find publicly accessible live streaming feeds:

Viewing Live Web Cams (cont’d)

inurl:/view.shtml

intitle:"Live View / - AXIS" | inurl:view/view.shtml^

inurl:ViewerFrame?Mode=

inurl:ViewerFrame?Mode=Refresh

inurl:axis-cgi/jpg

allintitle:"Network Camera NetworkCamera"

intitle:axis intitle:"video server"

intitle:liveapplet inurl:LvAppl

intitle:"EvoCam" inurl:"webcam.html"

Screenshot - Live Web Cams

At a Traffic Signal

Live Web Cams – Traffic Signals 1

Live Web Cams – Traffic Signals 2

Live Web Cams – Traffic Signals 3

Live Web Cams – Traffic Signals 4

Live Web Cams – Traffic Signals 5

Live Web Cams – Traffic Signals 6

Live Web Cams – Traffic Signals 7

Live Web Cams – Traffic Signals 8

Live Web Cams – Traffic Signals 9

Live Web Cams – Traffic Signals 10

intranet | help.desk

The term intranet, despite more specific technical meanings, has become a generic term that describes a network confined to a small group.

In most cases the term intranet describes a closed or private network, unavailable to the general public.

Many sites have configured portals that allow access to an intranet from the Internet, bringing this typically closed network one step closer to potential attackers.

Locating Public Exploit Sites

One way to locate exploit code is to focus on the file extension of the source code and then search for specific content within that code.

Since source code is the text-based representation of the difficult-to-read machine code, Google is well suited for this task.

For example, a large number of exploits are written in C, which generally uses source code ending in a .c extension.

A query for filetype:c exploit returns around 5,000 results, most of which are exactly the types of programs we’re looking for.

These are the most popular sites hosting C source code containing the word exploit; the returned list is a good start for a list of bookmarks.

Using page-scraping techniques, we can isolate these sites by running a UNIX command against the dumped Google results page:

grep Cached exp | awk -F" -" '{print $1}' | sort -u

Locating Exploits via Common Code Strings

Another way to locate exploit code is to focus on common strings within the source code itself.

One way to do this is to focus on common inclusions or header file references.

For example, many C programs include the standard input/output library functions, which are referenced by an include statement such as #include <stdio.h> within the source code.

A query like the following would locate C source code that contained the word exploit, regardless of the file’s extension:

"#include <stdio.h>" "Usage" exploit

Searching for Exploit Code with Nonstandard Extensions

Locating Source Code with Common Strings
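The two slides above (common code strings, and source code under nonstandard extensions) rest on one observation: a file’s contents identify it as source code even when its extension does not. The Python script below is an added example, not from the EC-Council courseware, that applies the same content-signature idea from the defender’s side: it walks a snapshot of a web root and reports files whose contents match a source-code signature (the same “#include <stdio.h>” string the query keys on, plus a few others) but whose extension is not one that language is normally served under, so a leaked .txt or .bak copy of code is found before a search engine indexes it. The signature table, the allowed-extension sets, the paths and the file contents are all constructed for this example.

```python
import os
import re

# Content signatures for a few source languages, paired with the extensions they are
# normally served under. The C pattern is the same "common string" the slide's query
# keys on ("#include <stdio.h>"), applied to file contents instead of a search engine.
SIGNATURES = {
    "c":     (re.compile(r"^\s*#include\s*<[\w./]+\.h>", re.M), {".c", ".h"}),
    "php":   (re.compile(r"<\?php\b"), {".php"}),
    "perl":  (re.compile(r"^#!.*\bperl\b|^\s*use strict;", re.M), {".pl", ".pm", ".cgi"}),
    "shell": (re.compile(r"^#!\s*/bin/(ba)?sh\b", re.M), {".sh"}),
}

# Constructed web-root snapshot (path -> contents); none of this is real code from a real host.
SAMPLE_FILES = {
    "/var/www/html/index.html": "<html><body><h1>Welcome</h1></body></html>\n",
    "/var/www/html/src/helper.c": "#include <stdio.h>\nint helper(void) { return 0; }\n",
    "/var/www/html/tools/netcheck.txt": (
        "#include <stdio.h>\n#include <stdlib.h>\n"
        "int main(int argc, char **argv) { printf(\"Usage: %s host\\n\", argv[0]); return 0; }\n"
    ),
    "/var/www/html/old/config.php.bak": "<?php\n$db_pass = 'placeholder-not-a-real-secret';\n",
    "/var/www/html/cgi-bin/register.cgi": "#!/usr/bin/perl\nuse strict;\nprint \"ok\\n\";\n",
    "/var/www/html/README": "Installation notes for the site.\n",
}


def classify(text):
    """Return the language whose signature appears in the text, or None if none does."""
    for lang, (pattern, _) in SIGNATURES.items():
        if pattern.search(text):
            return lang
    return None


def find_misnamed_sources(files):
    """Files whose contents look like source code but whose extension is not one that
    language is normally served under (e.g. .txt or .bak), as (path, lang, ext) tuples."""
    hits = []
    for path, text in files.items():
        lang = classify(text)
        if lang is None:
            continue
        ext = os.path.splitext(path)[1].lower()
        if ext not in SIGNATURES[lang][1]:
            hits.append((path, lang, ext or "(none)"))
    return hits


if __name__ == "__main__":
    for path, lang, ext in find_misnamed_sources(SAMPLE_FILES):
        print(f"{path}: {lang} source served with extension {ext}")
```

To run it over a real document root, build the dict by reading each file under the root (text files only) and extend SIGNATURES with whatever languages your site actually uses; note that register.cgi is not reported because .cgi is in the Perl allow-list, so the allow-lists are where you encode what is legitimate for your server.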


Locating Vulnerable Targets

Attackers are increasingly using Google to locate web-based targets that are vulnerable to specific exploits.

In fact, it’s not uncommon for public vulnerability announcements to contain Google links to potentially vulnerable targets.

Locating Targets via Demonstration Pages

Our goal is to develop a query string to locate vulnerable targets on the web; the vendor’s website is a good place to discover what exactly the product’s web pages look like.

For example, some administrators might modify the format of a vendor-supplied web page to fit the theme of the site.

These types of modifications can impact the effectiveness of a Google search that targets a vendor-supplied page format.

We can find that most sites look very similar and that nearly every site has a “powered by” message at the bottom of the main page.

“Powered by” Tags are Common Query Fodder for Finding Web Applications

Locating Targets via Source CodeCode

Let’s take a look at how a hacker might use the source code of a program to g p gdiscover ways to search for that software with Google.

To find the best search string to locate potentially vulnerable targets, we can visit g p y g ,the web page of the software vendor to find the source code of the offending software.

In cases where source code is not available an attacker might opt to simply In cases where source code is not available, an attacker might opt to simply download the malicious software and run it on a machine he controls to get ideas for potential searches.


Page 72: ECSAv4 Module 02 Advanced Googling_NoRestriction

Vulnerable Web Application Examples


Page 73: ECSAv4 Module 02 Advanced Googling_NoRestriction

Vulnerable Web Application Examples (cont’d)


Page 74: ECSAv4 Module 02 Advanced Googling_NoRestriction

Locating Targets via CGI Scanning

One of the oldest and most familiar techniques for locating vulnerable web servers is through the use of a CGI scanner.

These programs parse a list of known “bad” or vulnerable web files and attempt to locate those files on a web server.

Based on various response codes, the scanner could detect the presence of these potentially vulnerable files.

A CGI scanner can list vulnerable files and directories in a data file, such as:


Page 75: ECSAv4 Module 02 Advanced Googling_NoRestriction

A Single CGI Scan-Style Query

Example: search for inurl:/cgi-bin/userreg.cgi


Page 76: ECSAv4 Module 02 Advanced Googling_NoRestriction

Directory Listings

The server tag at the bottom of a directory listing can provide explicit detail about the type of web server software that’s running.

If an attacker has an exploit for Apache 2.0.52 running on a UNIX server, a query such as server.at “Apache/2.0.52” will locate servers that host a directory listing with an Apache 2.0.52 server tag.


Page 77: ECSAv4 Module 02 Advanced Googling_NoRestriction

Finding IIS 5.0 Servers

Query for “Microsoft-IIS/5.0 server at”


Page 78: ECSAv4 Module 02 Advanced Googling_NoRestriction

Web Server Software Error Messages

Error messages contain a lot of useful information, but in the context of locating specific servers, we can use portions of various error messages to locate servers running specific software versions.

The absolute best way to find error messages is to figure out what messages the server is capable of generating.

You could gather these messages by examining the server source code or configuration files or by actually generating the errors on the server yourself.

The best way to get this information from IIS is by examining the source code of the error pages themselves.

IIS 5 and 6, by default, display static HTTP/1.1 error messages when the server encounters some sort of problem.


These error pages are stored by default in the %SYSTEMROOT%\help\iisHelp\common directory.

Page 79: ECSAv4 Module 02 Advanced Googling_NoRestriction

Web Server Software Error Messages (cont’d)

A query such as intitle:“The page cannot be found” “please following” “Internet * Services” can be used to search for IIS servers that present a 400 error.


Page 80: ECSAv4 Module 02 Advanced Googling_NoRestriction

IIS HTTP/1.1 Error Page Titles


Page 81: ECSAv4 Module 02 Advanced Googling_NoRestriction

IIS HTTP/1.1 Error Page Titles (cont’d)


Page 82: ECSAv4 Module 02 Advanced Googling_NoRestriction

“Object Not Found” Error Message Used to Find IIS 5.0


Page 83: ECSAv4 Module 02 Advanced Googling_NoRestriction

Apache Web Server

Apache web servers can also be located by focusing on server-generated error messages.

Some generic searches, such as “Apache/1.3.27 Server at” -intitle:index.of intitle:inf or “Apache/1.3.27 Server at” -intitle:index.of intitle:error


Page 84: ECSAv4 Module 02 Advanced Googling_NoRestriction

Apache 2.0 Error Pages


Page 85: ECSAv4 Module 02 Advanced Googling_NoRestriction

Application Software Error Messages

Although this ASP message is fairly benign, some ASP error messages are much more revealing.

Consider the query “ASP.NET_SessionId” “data source=”, which locates unique strings found in ASP.NET application state dumps.

These dumps reveal all sorts of information about the running application and the web server that hosts that application.

An advanced attacker could use encrypted password data and variable information in these stack traces to subvert the security of the application and perhaps the web server itself.

Page 86: ECSAv4 Module 02 Advanced Googling_NoRestriction

ASP Dumps Provide Dangerous Details


Page 87: ECSAv4 Module 02 Advanced Googling_NoRestriction

Many Errors Reveal Pathnames and Filenames


Page 88: ECSAv4 Module 02 Advanced Googling_NoRestriction

CGI Environment Listings Reveal Lots of Information


Page 89: ECSAv4 Module 02 Advanced Googling_NoRestriction

Default Pages

Another way to locate specific types of servers or web software is to search for default web pages.

Most web software, including the web server software itself, ships with one or more default or test pages.

These pages can make it easy for a site administrator to test the installation of a web server or application.

Sometimes Google crawls a web server while it is in its earliest stages of installation, still displaying a set of default pages.


In these cases, there’s generally a short window of time between the moment when Google crawls the site and when the intended content is actually placed on the server.

Page 90: ECSAv4 Module 02 Advanced Googling_NoRestriction

A Typical Apache Default Web Page


Page 91: ECSAv4 Module 02 Advanced Googling_NoRestriction

Locating Default Installations of IIS 4.0 on Windows NT 4.0/OP


Page 92: ECSAv4 Module 02 Advanced Googling_NoRestriction

Default Pages Query for Web Server

Many different types of web servers can be located by querying for default pages as well.


Page 93: ECSAv4 Module 02 Advanced Googling_NoRestriction

Outlook Web Access Default Portal

Query: allinurl:“exchange/logon.asp”


Page 94: ECSAv4 Module 02 Advanced Googling_NoRestriction

Searching for Passwords

Password data, one of the “Holy Grails” during a penetration test, should be protected.

Unfortunately, many examples of Google queries can be used to locate passwords on the web.


Page 95: ECSAv4 Module 02 Advanced Googling_NoRestriction

Windows Registry Entries can Reveal Passwords

A query such as filetype:reg intext:“internet account manager” could reveal interesting keys containing password data.


Page 96: ECSAv4 Module 02 Advanced Googling_NoRestriction

Usernames, Cleartext Passwords, and Hostnames

A search for password information, intext:(password | passcode | pass) intext:(username | userid | user), combines common words for passwords and user IDs into one query.
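The query patterns on this slide, and the directory-listing server tags, IIS error-page titles and “powered by” banners from the earlier slides, all key on strings that a site owner can look for before a search engine indexes them. As an added example that is not part of the course material, the following Python script re-expresses those patterns as regular expressions and runs them over a site’s own page content; the sample paths, page bodies and the “HypotheticalCMS” banner are constructed, and the check names are my own.

```python
import re

# Constructed sample pages standing in for content crawled from a site you
# administer; the paths, bodies and the HypotheticalCMS banner are made up.
SAMPLE_PAGES = {
    "/files/": "<html><head><title>Index of /files</title></head><body>"
               "<h1>Index of /files</h1><pre>backup.zip</pre><hr>"
               "<address>Apache/2.0.52 Server at www.example.test Port 80</address>"
               "</body></html>",
    "/missing.asp": "<html><head><title>The page cannot be found</title></head>"
                    "<body>Please try the following: ... Internet Information Services</body></html>",
    "/": "<html><head><title>Home</title></head><body>Welcome."
         "<p>Powered by HypotheticalCMS 1.2</p></body></html>",
    "/backup/notes.txt": "username: alice\npassword: hunter2\nhost: mail.example.test\n",
    "/about.html": "<html><head><title>About us</title></head><body>Hi</body></html>",
}

# Each check re-expresses one of the module's query patterns as a regex over page
# content: directory-listing server tags, IIS error-page titles, "powered by"
# banners, and password / user-ID co-occurrence (the intext: query on this slide).
CHECKS = [
    ("directory listing with server tag",
     re.compile(r"<title>Index of .*?</title>.*?Server at", re.I | re.S)),
    ("IIS error page title",
     re.compile(r"<title>(?:The page cannot be found|Object Not Found)</title>", re.I)),
    ("vendor 'powered by' banner", re.compile(r"\bpowered by\b", re.I)),
    ("credential pair in text",
     re.compile(r"\b(?:password|passcode|pass)\b.*?\b(?:username|userid|user)\b"
                r"|\b(?:username|userid|user)\b.*?\b(?:password|passcode|pass)\b",
                re.I | re.S)),
]
# Server tag such as "Apache/2.0.52 Server at" or "Microsoft-IIS/5.0 server at".
SERVER_TAG = re.compile(r"\b((?:Apache|Microsoft-IIS)/[\d.]+) Server at\b", re.I)


def audit_pages(pages):
    """Return {path: [names of checks that matched]} for pages with any hit."""
    findings = {}
    for path, body in pages.items():
        hits = [name for name, rx in CHECKS if rx.search(body)]
        if hits:
            findings[path] = hits
    return findings


def disclosed_versions(pages):
    """Return {path: 'Product/version'} for pages whose server tag names a version."""
    return {path: m.group(1) for path, body in pages.items()
            if (m := SERVER_TAG.search(body))}
```

Running `audit_pages` over a crawl of your own site flags the pages these queries would surface; `disclosed_versions` lists the exact server versions a directory listing or error page gives away.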


Page 97: ECSAv4 Module 02 Advanced Googling_NoRestriction

Goolag Scanner

“Goolag Scanner” is a tool published by the well-known hacker group “Cult of the Dead Cow (cDc)”.

This software turns Google’s search engine into a vulnerability scanner.

It allows scanning websites or Internet domains for vulnerabilities.

It works on the “Dork” pattern:

• A dork is a search pattern used with Google's search engine.
• The results of a dork search reveal possible security attacks.


Page 98: ECSAv4 Module 02 Advanced Googling_NoRestriction

Features of Goolag

Goolag Scanner uses simple and readable XML documents.

It reduces the use of a myriad of dorks to a few mouse clicks.

Knowledge of cryptic command-line options and Google hacking basics is not required to use this scanner.

It helps to check a website before criminals can attack its weak points.


Page 99: ECSAv4 Module 02 Advanced Googling_NoRestriction

Goolag Scanner Screenshot


Page 100: ECSAv4 Module 02 Advanced Googling_NoRestriction

Summary

In this module, we have reviewed Google penetration testing.

We have discussed the advanced Google techniques:

• Overview of software error messages
• Overview of default pages
• Explanation of techniques to reveal passwords
• Locating targets
• Searching for passwords

